Public Comments: April 2004 – Communications privacy

Background:

31 Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail and Address Privacy Concerns. — Thirty-one privacy and civil liberties organizations have signed a letter urging Google to suspend its Gmail service until the privacy issues are adequately addressed. The letter also requests that Google clarify its written information policies regarding data retention and data sharing among its business units.

Google’s proposed Gmail service and the practices and policies of its business units raise significant and troubling questions.

First, Google has proposed scanning the text of all incoming emails for ad placement. The scanning of confidential email violates the implicit trust of an email service provider. Further, the unlimited period for data retention poses unnecessary risks of misuse.

Second, Google’s overall data retention and correlation policies are problematic in their lack of clarity and broad scope. Google has not set specific, finite limits on how long it will retain user account, email, and transactional data. And Google has not set clear written policies about its data sharing between business units.

Third, the Gmail system sets potentially dangerous precedents and establishes reduced expectations of privacy in email communications. These precedents may be adopted by other companies and governments and may persist long after Google is gone.

We urge you to suspend the Gmail service until the privacy issues are adequately addressed.

Email Scanning in Google’s Proposed Gmail Service

The email text scanning infrastructure that Google has built is powerful and global in reach. Google has not created written policies to date that adequately protect consumers from the unintended consequences of building this structure. It is, in fact, arguable that no policy could adequately protect consumers from future abuses. The societal consequences of initiating a global infrastructure to continually monitor the communications of individuals are significant and far-reaching, with immediate and long-term privacy implications.

Currently, individuals may have the understanding that Google’s system is not that different in nature from scanning messages for spam, which is a common practice today. There is a fundamental difference, however. With Gmail, individuals’ incoming emails will be scanned and seeded with ads. This will happen every time Gmail subscribers open their emails to re-read them, no matter how long they have been stored. Inserting new content from third-party advertisers into incoming emails is fundamentally different from removing harmful viruses and unwanted spam.

Another potential misconception about the Gmail system is that the scanning will take place in isolation. The email is scanned, and ad text is delivered. But that is not the end of the story. The delivery of the ad text based on emails is a continual “on the fly” stream. This technology requires a substantial supply chain of directory structures, databases, logs, and a long memory. Auditing trails of the ad text are kept, and the data could be correlated with the data Google collects via its other business units such as its search site and its networking site, Orkut.

Google has countered criticism of Gmail by highlighting that a computer, not a human, will scan the content of the email, thereby making the system less invasive. We think a computer system, with storage, memory, and associative ability far greater than a human’s, could be just as invasive as a human listening to the communications, if not more so.

That the Gmail scanning and monitoring is being used for advertising right now is distracting, because it is a transient use. Scanning personal communications in the way Google is proposing is letting the proverbial genie out of the bottle. Today, Google wants to make a profit from selling ads. But tomorrow, another company may have completely different ideas about how to use such an infrastructure and the data it captures.

Google could — tomorrow — by choice or by court order, employ its scanning system for law enforcement purposes. We note that in one recent case, the Federal Bureau of Investigation obtained a court order compelling an automobile navigation service to convert its system into a tool for monitoring in-car conversations. How long will it be until law enforcement compels Google into a similar situation?

Google has been quick to state that it does not intend to correlate or share consumer data between its business units. But unless Google puts a consumer promise into its privacy policy that states it will never correlate the data, then Google is not putting its money where its mouth is. In a nation of laws, Google needs to make its promises in writing.

Gmail’s Potential Conflict with International Law

The Gmail system may conflict with Europe’s privacy laws, specifically, Directive 95/46/EC, also called the EU Privacy Directive. This directive states, among other things, that users’ consent must be informed, specific, and unambiguous (pursuant to Article 7(a) of Dir. 95/46/EC).

As it has been proposed, and based on the current Gmail privacy policy, the consent of EU-based Gmail users cannot necessarily be considered informed, specific, and unambiguous with regard to the scanning, storage, and further processing of their emails. The need for informed, specific, and unambiguous consent also applies to the potential linking of EU citizens’ emails to their search histories. Additional issues with data retention may also exist under the EU Privacy Directive.

The Dangers of Lowered Privacy Expectations in the Email Medium

Ultimately, however, this discussion is not solely about Google. It is about the global tools Google is building, and the ways these tools and systems stand to alter how individuals perceive the sanctity of private communications in the electronic sphere. These perceptions and standards may persist long after Google as a company is gone.

Google needs to realize that many different companies and even governments can and likely will walk through the email scanning door once it is opened. As people become accustomed to the notion that email scanning for ad delivery is acceptable, “mission creep” is a real possibility. Other companies and governments may have very different ideas about data correlation than Google does, and may have different motivations for scanning the body of email messages. Google itself, in the absence of clear written promises and policies, may experience a change of course and choose to profit from its large stores of consumer data culled from private communications.

The lowered expectations of email privacy that Google’s system has the potential to create are no small matter. Once an information architecture is built, it functions much like a building — that building may be used by many different owners, and its blueprints may be replicated in many other places.

Google’s technology is proprietary, but the precedents it sets are not.

Conclusion

We request the following of Google:

1. Google must suspend its implementation of scanning the full text of emails to determine ad placement.
2. Google must clarify its information retention and data correlation policy amongst its business units, partners, and affiliates. This means that Google must set clear data retention and deletion dates and establish detailed written policies about data sharing and correlation amongst its business units and partners.
